Skip links

Marriott Hotels admits to third data breach in 4 years

Marriott Hotels has leaked data to attackers again and this time the culprits made off with 20GB of information, which reportedly included credit card info and internal company documents. 

The unnamed group behind the attack contacted privacy news site DataBreaches to share the news that it broke into a server at the Marriott hotel at Boston/Washington International Airport in Maryland late last month.

The group shared screenshots of customer credit card authorization forms including full card details and said its members were in communication with Marriott, but the hotel chain stopped talking. 

“We were acting like a red hat organization and they just stopped communicating with us,” a spokesperson told DataBreaches.

So-called “red hat hackers” are the less ethical cousins of white hats, the latter of whom often operate with permission from the organizations they target.

Both Marriott and the miscreants said that no money was exchanged, but the group did admit cash may have been the reason why communications dried up.

“[Marriott] went silent for no reason, it might be because of the high pricing, but we are always willing to find a deal with our clients and told Marriott that we can provide all the discounts in the world,” the culprits told DataBreaches. 

The attackers claim they are an international group that doesn’t encrypt data because they don’t want to interfere with businesses, and they say they don’t attack governments or critical infrastructure.  

How’d they get in? Social engineering

According to statements that Marriott made to DataBreaches, the attackers used social engineering to access a single employee’s computer. Marriott said they have no evidence the criminals accessed files beyond what the person they tricked had access to, and said they contained the breach within six hours.

Based on documents seen on DataBreaches, some of which were shared in the above-linked post, some of the information stolen was definitely sensitive. Internal business documents were included, while others contained information on hotel guests and staff including corporate card numbers, wage data, personal identifiable information and even a personnel assessment of a staff member at the hotel.

Marriott said it has to notify between 300 and 400 people, both guests and employees, due to the breach.

This data breach is only the latest attack on a Marriott-owned hotel. Most recently, attackers made off with 5.2 million guest records in 2020. A 2018 data leak was even larger, with 383 million booking records, 5.3 million unencrypted passport numbers and tens of millions of encrypted records stolen, too. In the case of the 2018 leak, it was breach of Marriott’s Starwood subsidiary’s guest reservation network – which it bought in 2016. That leak exposed the entire database – a full 500 million guest bookings over four years, making it one of the biggest breaches of an individual organization ever.

What has Marriott learned from all those breaches? According to the people behind the latest attack, not much. “Their security is very poor, there were no problems taking their data. At least we didn’t get access to the whole database, but even the part that we took was full of the critical data,” the group said.

The Register has contacted Marriott to learn more, but have yet to receive a reply. ®